Abstract Parametric timed automata (PTAs) are a 
powerful formalism to reason, simulate and formally ver- 
ify critical real-time systems. After 25 years of research 
on PTAs, it is now well-understood that any non-trivial 
problem studied is undecidable for general PTAs. We 
provide here a survey of decision and computation prob- 
lems for PTAs. On the one hand, bounding time, bound- 
ing the number of parameters or the domain of the pa- 
rameters does not (in general) lead to any decidability. 
On the other hand, restricting the number of clocks, the 
use of clocks (compared or not with the parameters), 
and the use of parameters (e. g., used only as upper or 
lower bounds) leads to decidability of some problems. 
We also put emphasis on open problems. We also discuss 
formalisms close to parametric timed automata (such 
as parametric hybrid automata or parametric interrupt 
timed automata), and we study tools dedicated to PTAs 
and their extensions. 


Key words: decidability, decision problems, paramet- 
ric timed model checking, parameter synthesis, L/U- 
PTAs, hybrid automata 


1 Introduction 


The absence of undesired behaviors in real-time critical systems is of utmost importance in order to ensure the system safety. Model checking aims at formally verifying a model of the system against a correctness property. Timed automata (TAs) are a popular formalism to model and verify safety critical systems with timing constraints. TAs extend finite state automata with clocks, i.e., real-valued variables increasing linearly [AD94]. These clocks can be compared with integer constants in guards (sets of linear inequalities that must be satisfied to take a transition) and invariants (sets of linear inequalities that must be satisfied to remain in a location). TAs have been widely studied (see e.g., [AM04]), and several state-of-the-art model checkers (such as UPPAAL [LPY97] or PAT [Sun+09]) support TAs as an input language.


TAs benefit from many interesting decidable properties, such as the emptiness of the accepted language, the reachability of a control state, etc. Other problems are undecidable though, such as the universality of the accepted timed language; in addition, given a TA, building a TA recognizing the complement of the timed language of the first TA cannot be achieved in general. TAs were also studied in a robust version, i.e., when all timing guards can be enlarged or shrunk by an infinitesimal constant factor, without changing the language, the reachability of a control state, etc. (see [Mar11; BMS13] for surveys).


However, TAs also suffer from some limitations. First, they cannot be used to specify and verify systems incompletely specified (i.e., whose timing constants are not known yet), and hence cannot be used in early design phases. Second, verifying a system for a set of timing constants usually requires enumerating all of them one by one if they are supposed to be integer-valued; in addition, TAs cannot be used anymore to verify a system for a set of timing constants that are to be taken in a rational- or real-valued dense interval. Third, robustness in TAs often assumes that all guards can be enlarged or shrunk by the same small variation; considering independent variations or considering both enlarging and shrinking was not addressed.


Parametric timed automata (PTAs) overcome these 
limitations by allowing the use of parameters (i.e., un- 
known constants) in guards and invariants [AHV93]. 
This increased expressive power comes at the price of the 
undecidability of most interesting problems—at least in 
the general case. 

In this paper, we consider decision problems for PTAs 
proposed in the past 25 years. On the one hand, bound- 
ing time, bounding the number of parameters or the do- 
main of the parameters does not (in general) lead to any 
decidability. On the other hand, restricting the number 
of clocks, the use of clocks (compared or not with the 
parameters), and the use of parameters (e. g., used only 
as upper or lower bounds) can lead to the decidability of 
some problems. In addition, extensions to parameters of some variants of timed automata benefit from some decidability results, such as reset-PTAs and parametric interrupt timed automata.


Related surveys To the best of our knowledge, no survey 
was dedicated specifically to decision problems for PTAs. 
Moreover, in addition to numerous results in the past 
25 years proved in various settings with different syntax 
and assumptions, recent results in the field in the past 
three years justify the need for a clear picture of these 
updated (un)decidability results. Furthermore, survey- 
ing decision problems for PTAs has important practical 
implications as, for undecidable decision problems, the 
associated synthesis problems cannot be solved exactly. 

Related works include [AM04] that studies decidability results of timed automata. In [Mar11; BMS13], various problems related to the robustness in TAs are studied. Then, [Hen+98] is not a survey, but exhibits decidable subclasses of hybrid automata, an extension of timed automata where variables can have (in general) arbitrary rates. Then, [Asa+12] acts both as a survey and as a contribution paper that studies hybrid automata with “low dimensions”, i.e., with few variables. Our survey is also concerned (in Section 4) with decidability results for PTAs with few variables (i.e., clocks and parameters).


About this manuscript This manuscript is a revised and 
extended version of [And16b]. New results unpublished 
at the time of [And16b] were added. Moreover, Table 2 
was improved, and its description and summary were significantly enhanced. In addition, two new sections were 
added: formalisms beyond PTAs are studied in Section 6 
and tools and applications of PTAs are reviewed in 
Section 7. 


Outline In Section 2, we propose a unified syntax for PTAs, and we define the decision problems that we will consider throughout this manuscript. In Section 3, we recall general undecidability results for PTAs. We then study in Section 4 the decidability when restricting the syntax of PTAs (number of variables, syntax of the constraints, etc.). We consider specifically in Section 5 the subclass of PTAs where parameters must be used either always as lower-bounds or always as upper-bounds, namely L/U-PTAs. Formalisms beyond PTAs, including parametric versions of hybrid automata, interrupt timed automata and time Petri nets, are studied in Section 6. Tools supporting PTAs and known applications of PTAs are reviewed in Section 7. We conclude by emphasizing open problems in Section 8.

Table 1: Syntax of operators in guards


2 Parametric timed automata and problems 


2.1 Clocks, parameters and constraints 


Let $\mathbb{Z}$, $\mathbb{N}$, $\mathbb{Q}_+$ and $\mathbb{R}_+$ denote the sets of (possibly negative) integer numbers, (non-negative) natural numbers, non-negative rational numbers, and non-negative real numbers, respectively. In the following, $\mathbb{T}$ denotes the domain of time, and $\mathbb{P}$ the domain of the parameters; these domains will be instantiated with $\mathbb{N}$, $\mathbb{Q}_+$ or $\mathbb{R}_+$ subsequently. Throughout this survey, let $d$ denote an integer constant in $\mathbb{Z}$, and $d^+$ denote a non-negative constant in $\mathbb{N}$.

Let us assume a set $X = \{x_1, \dots, x_H\}$ of clocks, that are $\mathbb{T}$-valued variables that evolve at the same rate. Let us assume a set $P = \{p_1, \dots, p_m\}$ of parameters, i.e., unknown constants. A parameter valuation $v$ is a function $v : P \to \mathbb{P}$. Throughout this survey, symbols $x, x_i$ denote clocks whereas $p, p_i$ denote parameters.

A parametric linear term is $\sum_{1 \le i \le m} \alpha_i p_i + d$, with $\alpha_i \in \mathbb{Z}$; in the following $plt$ will denote a parametric linear term.

A (linear) inequality is $x \bowtie plt$, where $x$ is a clock, $plt$ a parametric linear term, and $\bowtie \in \{<, \le, \ge, >\}$. We give in Table 1 the conventions used throughout this survey concerning comparison operators. A (linear) constraint is a conjunction of linear inequalities. A (linear) diagonal constraint is a conjunction of either linear inequalities, or linear diagonal inequalities of the form $x_i - x_j \bowtie plt$.

A simple inequality is either $x \bowtie p$ or $x \bowtie d^+$. A simple constraint is a conjunction of simple inequalities.


2.2 A unified syntax for parametric timed automata 


The syntax of PTAs varies a lot in the literature; we give below a definition that should include most definitions in the literature, and at least all definitions of the papers considered in this survey. That is, any definition of PTAs can be obtained from the following one by adding restrictions such as removing the set of accepting locations, forbidding invariants, restricting the domain of clocks or parameters, simplifying the syntax of the guards and invariants (e.g., forbidding diagonal constraints), etc.


Definition 1 (Parametric timed automaton).
A parametric timed automaton (PTA) is a tuple
$A = (\Sigma, L, l_0, F, X, P, I, E)$, where:
— $\Sigma$ is a finite set of actions,
— $L$ is a finite set of locations,
— $l_0 \in L$ is the initial location,
— $F \subseteq L$ is a set of accepting (or final) locations,
— $X$ is a set of clocks with domain $\mathbb{T} = \mathbb{R}_+$,
— $P$ is a set of parameters with domain $\mathbb{P} = \mathbb{R}_+$,
— $I$ is the invariant, assigning to every $l \in L$ a diagonal constraint $I(l)$, and
— $E$ is a set of edges $(l, g, a, R, l')$ where $l, l' \in L$ are the source and destination locations, $g$ is a diagonal constraint which is the transition guard, $a \in \Sigma$, and $R \subseteq X$ is a set of clocks to be reset.





Given a PTA $A$ and a parameter valuation $v$, the valuation of $A$ with $v$, denoted by $v(A)$, is the nonparametric PTA where each occurrence of $p$ is replaced with $v(p)$. If $v$ assigns an integer (or rational) value to each parameter, then $v(A)$ is a TA. However, if some parameters are assigned to an irrational value, then $v(A)$ belongs to the class of TAs with irrational constants, for which the reachability of a given location is undecidable [Mil00].

A clock is said to be a parametric clock if it is com- 
pared with at least one parameter in at least one guard 
or invariant; otherwise, it is a nonparametric clock. This 
notion is central when studying the decidability of prob- 
lems for PTAs with few clocks and parameters. 


Example 1. Consider the coffee machine in Fig. 1, modeled using a PTA with 4 locations, 2 clocks ($x_1$ and $x_2$) and 3 parameters ($p_1, p_2, p_3$). Both clocks $x_1$ and $x_2$ are parametric clocks. No diagonal constraints are used (in fact all constraints are simple constraints). The machine can initially idle for an arbitrarily long time. Then, whenever the user presses the (unique) button (action press), the PTA enters location “add sugar”, resetting both clocks. The machine can remain in this location as long as the invariant ($x_2 < p_2$) is satisfied; there, the user can add a dose of sugar by pressing the button (action press), provided the guard ($x_1 > p_1$) is satisfied, which resets $x_1$. That is, the user cannot press the button twice (and hence add two doses of sugar) in a time less than $p_1$. Then, $p_2$ time units after the machine left the idle mode, a cup is delivered (action cup), and the coffee is being prepared; eventually, $p_3$ time units after the machine left the idle mode, the coffee (action coffee) is delivered. Then, after 10 time units, the machine returns to the idle mode—unless a user again requests a coffee by pressing the button.


Semantics The semantics of a PTA $A$ can be defined as the union over all parameter valuations $v$ of the semantics of $v(A)$. In the following, given $\delta \in \mathbb{R}_+$, $w + \delta$ denotes the valuation such that $(w + \delta)(x) = w(x) + \delta$, for all $x \in X$. Given $R \subseteq X$, we define the reset of a clock valuation $w$, denoted by $[w]_R$, as the valuation resetting the clocks in $R$, and keeping the other clocks unchanged. Given a rational parameter valuation $v$, $v(C)$ denotes the constraint over $X$ obtained by replacing each parameter $p$ in $C$ with $v(p)$. Likewise, given a clock valuation $w$, $w(v(C))$ denotes the expression obtained by replacing each clock $x$ in $v(C)$ with $w(x)$. We use the notation $w \models v(C)$ to indicate that $w(v(C))$ evaluates to true. We write $\vec{0}$ for the clock valuation that assigns 0 to all clocks.





Definition 2 (Concrete semantics of a TA). Given a PTA $A = (\Sigma, L, l_0, F, X, P, I, E)$, and a rational parameter valuation $v$, the concrete semantics of $v(A)$ is given by the timed transition system $(S, s_0, \to)$, with

— $S = \{(l, w) \in L \times \mathbb{R}_+^H \mid w \models v(I(l))\}$,
— $s_0 = (l_0, \vec{0})$,
— $\to$ consists of the discrete and (continuous) delay transition relations:
  — discrete transitions: $(l, w) \overset{e}{\mapsto} (l', w')$, if $(l, w), (l', w') \in S$, there exists $e = (l, g, a, R, l') \in E$, $w' = [w]_R$ and $w \models v(g)$.
  — delay transitions: $(l, w) \overset{\delta}{\mapsto} (l, w + \delta)$, with $\delta \in \mathbb{R}_+$, if $\forall \delta' \in [0, \delta], (l, w + \delta') \in S$.








Moreover we write $(l, w) \overset{e}{\to} (l', w')$ for a sequence of delay and discrete transitions where $((l, w), e, (l', w')) \in \to$ if $\exists d, w'' : (l, w) \overset{d}{\mapsto} (l, w'') \overset{e}{\mapsto} (l', w')$.

Given a TA $v(A)$ with concrete semantics $(S, s_0, \to)$, we refer to the states of $S$ as the concrete states of $v(A)$. A concrete run of $v(A)$ is an alternating sequence of concrete states of $v(A)$ and edges starting from the initial concrete state $s_0$ of the form $s_0 \overset{e_0}{\to} s_1 \overset{e_1}{\to} \cdots \overset{e_{m-1}}{\to} s_m$, such that for all $i = 0, \dots, m-1$, $e_i \in E$, $s_i \in S$, and $(s_i, e_i, s_{i+1}) \in \to$. Given a concrete state $s = (l, w)$, we say that $s$ is reachable (or that $v(A)$ reaches $s$) if $s$ belongs to a concrete run of $v(A)$. By extension, we say that $l$ is reachable in $v(A)$. A run is maximal if it is either infinite, or cannot be extended by any discrete transition (possibly after some delay transition).

A finite run $s_0 \overset{e_0}{\to} s_1 \overset{e_1}{\to} \cdots \overset{e_{m-1}}{\to} (l_m, w_m)$ is accepting if $l_m \in F$.

The accepted timed language is the set of timed words (alternating sequences of actions and time elapsing) associated with an accepting run, i.e., a run ending in a location of F (or, in some works, passing infinitely often by a location in F). Note that some works make a difference between finite and infinite runs. The untimed language of a TA is the timed language projected onto the actions. The set of traces (or trace set) is the set of accepting runs projected onto the locations and actions, i.e., a set of alternating locations and actions. This is a nonstandard definition of traces (compared to e.g., [Gla90]), but we keep this term as it is used in, e.g., [And+09; AM15].

Figure 1: A coffee machine modeled using a PTA

A symbolic semantics is also defined for PTAs in [Hun+02; And+09; JLR15] as a parametric zone graph, where a symbolic state is made of a discrete part (the current location) and a symbolic, continuous part (a set of diagonal constraints, i.e., $x_i - x_j \bowtie plt$, sometimes allowing disjunctions).


Simple PTAs We define simple PTAs as the subclass 
of PTAs where guards and invariants are simple con- 
straints. We propose this class to show that, even in this 
restricted situation, all non-trivial problems are unde- 
cidable (Section 3). 


Variants of the PTA syntax PTAs were first defined in [AHV93] using a set of accepting locations. This is similar to timed automata [AD94]. Timed safety automata were introduced later in [Hen+94] by removing the final locations, but adding invariants to locations; many subsequent papers then refer to timed safety automata as simply “timed automata”. When timed automata with accepting locations are equipped with Büchi conditions (to be accepting, an infinite timed word must pass infinitely often through at least one of the accepting locations), they are referred to as timed Büchi automata. It was shown that the timed expressive power of timed safety automata is strictly less than that of timed Büchi automata [HKW95].

The syntax of PTAs differs in most of the papers in the literature. Concerning guards and invariants, in [AHV93] (resp. [Mil00]), guards (resp. guards and invariants) are conjunctions of inequalities of the form $x \sim p$. In [Hun+02; BL09], guards are conjunctions of inequalities of the form $x_i - x_j < plt \cup \{\infty\}$; in [Hun+02] invariants have the same form as guards (invariants are not considered in [BL09]). In [And+09], any linear constraint over $X \cup P$ is allowed in guards and invariants. In [Doy07], guards and invariants are all open, i.e., of the form $x \lessgtr p$ or $x \lessgtr d^+$. In [JLR15; ALR16b], guards and invariants are conjunctions of inequalities of the form $x \sim plt$; in addition, in [JLR15] invariants can only bound clocks from above (i.e., $x < plt$). In [Ben+15], guards are conjunctions of inequalities of the form $x \sim p$ and invariants can only bound clocks from above (i.e., $x < p$). In [AM15], guards and invariants are conjunctions of inequalities of the form $x = p + d$, $x \bowtie d^+$ or $p \bowtie d$ (although the proofs of undecidability only need inequalities of the form $x \bowtie p$ or $x \bowtie d^+$). In [ALR15; ALR16a], guards and invariants are conjunctions of simple inequalities.

A set of accepting locations is considered in [AHV93; BL09; Ben+15; ALR16b], but only [BL09] is interested in infinite accepting runs, i.e., runs that pass infinitely often by an accepting location; hence this latter work considers what could be referred to as parametric timed Büchi automata. In contrast, [Mil00; Hun+02; Doy07; And+09; JLR15; AM15; ALR16a] consider parametric timed safety automata (i.e., without accepting locations).


Remark 1. The restriction that the invariants can only bound clocks from above (i.e., $x < plt$) is not a real restriction: in timed automata, invariants that bound clocks from below (i.e., $d < x$) can be moved to all incoming edges. The same applies to PTAs. In other words, papers defining PTAs requiring invariants to use only invariants with clocks bounded from above are equivalent to PTAs with no restrictions at all on the invariants.


Expressiveness A comparison of the expressiveness of these different syntactic models remains to be done. Whereas it is likely that allowing constraints of the form $x \bowtie plt$ may be simulated using constraints of the form $x \bowtie p \mid d^+$ (perhaps adding additional locations, clocks and parameters), the expressiveness may differ when adding a set of accepting locations. In fact, the expressiveness of a PTA was not even defined, until we recently proposed two first possible definitions [ALR16b]: the expressiveness of a PTA $A$ (with accepting locations) is either the union over all parameter valuations of the accepted untimed words (“untimed language of $A$”), or the union over all parameter valuations of pairs made of an accepted untimed word and the associated valuation (“constrained untimed language of $A$”). Then, several subclasses of PTAs are compared w.r.t. these two definitions.

However, no comparison of the syntax used in guards and invariants was proposed. A challenging future work would be to show that a PTA with constraints of the form $x \sim plt$ can be for example translated into an equivalent PTA with constraints of the form $x \bowtie p \mid d^+$ at the cost of $n$ additional clocks and/or parameters.


2.3 Decision and computation problems 


Following the presentation in [JLR15], given a class of 
decision problems P (reachability, unavoidability, etc.), 
let us define the P-emptiness, the P-universality and the 
P-finiteness. 


P-emptiness problem:
INPUT: A PTA $A$ and an instance $\phi$ of P
PROBLEM: Is the set of parameter valuations $v$ such that $v(A)$ satisfies $\phi$ empty?

P-universality problem:
INPUT: A PTA $A$ and an instance $\phi$ of P
PROBLEM: Are all parameter valuations $v$ such that $v(A)$ satisfies $\phi$?

P-finiteness problem:
INPUT: A PTA $A$ and an instance $\phi$ of P
PROBLEM: Is the set of parameter valuations $v$ such that $v(A)$ satisfies $\phi$ finite?





In this survey, we mainly focus on reachability and unavoidability properties, and call them EF and AF respectively.¹ For example, given a PTA $A$ and a subset $G$ of its locations², EF-emptiness asks: “is the set of parameter valuations $v$ such that at least one location of $G$ is reachable in $v(A)$ empty?” And AF-universality asks: “are all parameter valuations $v$ such that any location in $G$ is unavoidable in $v(A)$?” We will also mention the EG property, that checks whether there exists a maximal run along which the locations remain in $G$, and the AG property that checks whether the locations remain in $G$ for all runs.³

Additionally, we will consider the language (resp. trace) preservation (emptiness) problem [AM15]: given a PTA $A$ and a parameter valuation $v$, does there exist another valuation $v' \neq v$ such that the untimed languages (resp. sets of traces) of $v(A)$ and $v'(A)$ are the same?


¹ The names EF, AF, EG, AG were first used for PTAs in [JLR15], and come from the CTL syntax.

² In general, it can be handy to set $G = F$; but as not all definitions of PTAs in the literature have accepting locations, we use here the set $G$ to denote goal locations.

³ Note that EF-, AF-, EG-, and AG-emptiness are equivalent to AG-, EG-, AF-, EF-universality, respectively.





We finally define the following computation problem: 


P-synthesis problem:
INPUT: A PTA $A$ and an instance $\phi$ of P
PROBLEM: Compute the parameter valuations such that $v(A)$ satisfies $\phi$.





For example, given a PTA A and a subset G of its 
locations, EF-synthesis consists in synthesizing parame- 
ter valuations v such that at least one location of G is 
reachable in v(A) from the initial state. 


Example 2. Let us exemplify some decision and computation problems for the PTA in Fig. 1. Assume the unique target location is “done”, i.e., $G = \{\text{done}\}$. EF-emptiness asks whether the set of parameter valuations that can reach location “done” for some run is empty; this is false (e.g., $p_1 = 1$, $p_2 = 2$, $p_3 = 3$ can reach “done”). EF-universality asks whether all parameter valuations can reach location “done” for some run; this is false (no parameter valuation such that $p_2 > p_3$ can reach “done”). AF-emptiness asks whether the set of parameter valuations that can reach location “done” for all runs is empty; this is false (e.g., $p_1 = 1$, $p_2 = 2$, $p_3 = 3$ cannot avoid “done”). EF-synthesis consists in synthesizing all valuations for which a run reaches location “done”; the resulting set of valuations is $0 < p_2 < p_3 < 10 \wedge p_1 \ge 0$.


3 Almost everything is undecidable for simple PTAs


In this entire section, we consider simple PTAs without 
restriction on the number of clocks and parameters. In 
that situation, all non-trivial problems studied in the lit- 
erature are undecidable, with the exception of the mem- 
bership problem (that asks whether the language of a 
valuated PTA is empty)—which is rather a problem for 
TAs. By non-trivial, we mean requiring a semantic anal- 
ysis, and not, e.g., a sole analysis of the syntax of the 
PTA (e. g., “is the number of clocks even”, or any prob- 
lem defined in Section 2.3 by setting G = L). 

We also show that bounding time (Section 3.3) or 
bounding the parameter domain for rational-valued 
parameters (Section 3.4) preserves the undecidability. 
However, we will show in Section 4 that bounding the 
number of clocks and/or parameters brings decidability. 

All proofs of undecidability reduce from either the 
halting problem, or the boundedness problem, of a 2- 
counter machine, both known to be undecidable [Min67]. 


3.1 Decidability of the membership 


In [AHV93], the membership problem for PTAs is defined as follows: given a PTA $A$ and a parameter valuation $v$, is the language of $v(A)$ empty? The membership problem is not strictly speaking a problem for PTAs, but rather for TAs, since it considers a valuated PTA. As a consequence, the decidability of this problem only relies on known results for TAs.

On the one hand, the membership problem is decidable (and PSPACE-complete) for PTAs over discrete time ($\mathbb{T} = \mathbb{N}$ and $\mathbb{P} = \mathbb{N}$), over dense time with integer-valued parameters ($\mathbb{T} = \mathbb{R}_+$ and $\mathbb{P} = \mathbb{N}$), and over dense time with rational-valued parameters ($\mathbb{T} = \mathbb{R}_+$ and $\mathbb{P} = \mathbb{Q}$) [AD94].

On the other hand, the membership problem becomes undecidable with real-valued (in fact irrational) parameters. Indeed, the reachability of a location in a TA with irrational constants is undecidable [Mil00]. The idea is to encode a 2-counter machine using 2 clocks $x_1$ and $x_2$ (plus an additional third clock), where the value $c_i$ of counter $i$ is encoded using $x_i = c_i \times \tau$, for $i \in \{1, 2\}$, with $\tau$ the irrational constant (the value $\sqrt{2}$ is suggested for $\tau$).


3.2 General undecidable problems 


EF-emptiness The seminal paper on PTAs [AHV93] 
showed that the EF-emptiness problem is undecidable 
for PTAs, both over discrete time, and over dense time 
(real-valued clocks and real-valued parameters). The 
proof consists in reducing from the halting problem of 
a 2-counter machine. The idea of the encoding of the 2- 
counter machine is to use parameters (the value of which 
can be arbitrarily large) to encode the maximum value of 
the counters. Although not explicitly stated in [AHV93], 
the proof of undecidability also works for real-valued 
clocks with integer-valued parameters. 


AF-emptiness In [JLR15], it is proved that the AF- 
emptiness is undecidable for L/U-PTAs (a subclass of 
PTAs, see Section 5) with 3 clocks and 4 integer-valued 
parameters, and hence for PTAs as well. Again, the proof 
of undecidability consists in reducing from the halting 
problem of a 2-counter machine. Another proof is pro- 
vided in [ALR16a] that uses 3 clocks and only 2 rational- 
valued parameters. 


AG-emptiness In [ALR16a], it is proved that the AG-emptiness problem is undecidable with 3 clocks and 2 rational-valued parameters.


EG-emptiness In [AL17a], it is proved that the EG- 
emptiness problem is undecidable with 4 clocks and 3 
parameters. 


Remark 2. For all three previous problems (AF-emptiness, AG-emptiness and EG-emptiness), the result is in fact proved for a subclass of PTAs—namely L/U-PTAs for AF-emptiness and EG-emptiness, and bounded integer-points PTAs (see Section 6.3) for AG-emptiness—so the number of clocks and parameters needed for the encoding is certainly not minimal for general PTAs, and might therefore be reduced using smarter constructions.

Remark 3. Note that the undecidability of all of these 
problems rules out the possibility to perform exact para- 
metric model checking of CTL-like properties on PTAs. 


Language and trace preservation problems Both the language preservation and the trace preservation problems are undecidable for simple PTAs [AM15]. The continuous (or robust) versions of those problems additionally require that the language (resp. set of traces) is preserved under any intermediary valuation of the form $\lambda \cdot v + (1 - \lambda) \cdot v'$, for $\lambda \in [0, 1]$ (with the classical definition of addition and scalar multiplication).

The language preservation problem and its continuous version are undecidable for a PTA with at least 4 parametric clocks [AM15].

The trace preservation and its continuous version are 
undecidable too; the proof of this result comes with three 
flavors: 


1. the first proof involves diagonal constraints (i.e., of the form $x_i - x_j \bowtie plt$, which goes beyond the syntax of simple PTAs), but only a fixed number of parametric clocks [AM15];

2. the second proof does not involve diagonal con- 
straints. It involves a bounded number of locations 
(but with an unbounded number of transitions) and 
an unbounded number of parametric clocks; by un- 
bounded we mean not constant but depending on the 
size of the counter-machine [AM15]; 

3. the third proof uses a bounded number of clocks 
and parameters, and an unbounded number of lo- 
cations [ALM18]. 


The need for an unbounded number of clocks in the 
first two versions of this proof comes from the fact that 
the proof encodes the 2-counter machine with a fixed 
number of locations (to reduce easily from language 
preservation to trace preservation), which thus requires 
to encode each location with a different clock. Note that 
the first two versions of the proof are, to the best of our 
knowledge, the only attempt to model a 2-counter ma- 
chine using PTAs with a constant number of locations 
(at the cost of an unbounded number of clocks). 


3.3 Bounding time 


Bounded-time model checking consists in checking a property within a bounded time domain. That is, we assume a predefined time bound (say $T$), and we only consider the system behavior in the time interval $[0, T]$. Undecidable problems might become decidable in this situation, or be of a lower complexity. For example, the language inclusion for timed automata becomes decidable over bounded-time [OW10], although it is undecidable in general. In addition, time-bounded reachability becomes decidable for a special subclass of hybrid automata with monotonic (either non-negative or non-positive) rates [Bri+13], although it is undecidable in general.

In contrast, the EF-emptiness problem remains un- 
decidable for (general) PTAs over bounded, dense 
time [Jov13, Theorem 3.4]. 

This said, we emphasize that (quite trivially) model 
checking discrete-time PTAs over bounded-time would 
become decidable; the same is likely to hold for 
dense-time PTAs with integer-valued parameters over 
bounded-time. (This remains to be shown formally 
though.) 


3.4 Bounding the parameter domain 


Bounding the parameter domain consists in setting a 
minimal and a maximal (non-infinite) bound on the pos- 
sible parameter valuations of a PTA. 


Decidability for integer-valued parameters For integer parameters, any problem for a PTA over a bounded parameter domain is decidable iff the corresponding problem is decidable for a TA. In fact, the P-emptiness problem for PTAs with bounded integer parameters is PSPACE-complete for any class of problems P that is PSPACE-complete for TAs [JLR15]. Indeed, it suffices to enumerate all parameter valuations, of which there is a finite number. As a consequence, EF-, AF-, EG-, AG-emptiness are all decidable; and so are language and trace preservation. More generally, the whole TCTL model checking, including reachability and unavoidability, is PSPACE-complete [ACD93], and therefore the corresponding emptiness problems are PSPACE-complete for PTAs with bounded integer parameters.
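
The enumeration argument above, as an added example (not code from the survey or from any tool it cites): a constructed two-clock PTA is valuated with every integer valuation of a bounded domain, and each resulting TA is checked for reachability over discrete time ($\mathbb{T} = \mathbb{N}$), which gives EF-synthesis, EF-emptiness and EF-universality in the sense of Section 2.3. The model, its parameters p1 and p2, the constant 6 and all function names are assumptions made for illustration.

```python
import operator
from collections import deque
from itertools import product

OPS = {"<": operator.lt, "<=": operator.le, ">=": operator.ge, ">": operator.gt}

# Constructed PTA (an assumption, not a model from the survey): a sender that
# retransmits every p1 time units, needs an acknowledgement at least p2 time
# units after the last (re)send, and must finish within 6 time units overall.
# Every inequality is simple: (clock, operator, parameter name or constant).
PTA = {
    "clocks": ("x", "y"),
    "init": "idle",
    "invariants": {"wait": [("x", "<=", "p1")], "ok": [("y", "<=", 6)]},
    "edges": [  # (source, guard, action, clocks to reset, destination)
        ("idle", [], "send", {"x", "y"}, "wait"),
        ("wait", [("x", ">=", "p1")], "retry", {"x"}, "wait"),
        ("wait", [("x", ">=", "p2")], "ack", set(), "ok"),
    ],
}


def instantiate(pta, v):
    """Return v(A): each parameter name is replaced by its value under v."""
    def val(constraint):
        return [(c, op, v.get(t, t)) for c, op, t in constraint]
    return {
        "clocks": pta["clocks"],
        "init": pta["init"],
        "invariants": {l: val(c) for l, c in pta["invariants"].items()},
        "edges": [(s, val(g), a, r, d) for s, g, a, r, d in pta["edges"]],
    }


def holds(constraint, w):
    """w |= C for a clock valuation w (dict clock -> value)."""
    return all(OPS[op](w[c], k) for c, op, k in constraint)


def reachable(ta, goal):
    """EF on a valuated PTA over discrete time: is a location of goal reachable?"""
    consts = [k for c in ta["invariants"].values() for _, _, k in c]
    consts += [k for _, g, _, _, _ in ta["edges"] for _, _, k in g]
    # Clock values above the largest constant are indistinguishable for these
    # non-diagonal constraints, so capping them keeps the state space finite.
    cap = max(consts, default=0) + 1
    clocks = ta["clocks"]

    def inv(l, w):
        return holds(ta["invariants"].get(l, []), w)

    start = (ta["init"], tuple(0 for _ in clocks))
    if not inv(start[0], dict(zip(clocks, start[1]))):
        return False
    seen, todo = {start}, deque([start])
    while todo:
        l, vals = todo.popleft()
        if l in goal:
            return True
        w = dict(zip(clocks, vals))
        succ = [(l, {c: min(t + 1, cap) for c, t in w.items()})]  # delay by 1
        for s, g, _, resets, d in ta["edges"]:                    # discrete steps
            if s == l and holds(g, w):
                succ.append((d, {c: 0 if c in resets else t for c, t in w.items()}))
        for l2, w2 in succ:
            state = (l2, tuple(w2[c] for c in clocks))
            if inv(l2, w2) and state not in seen:
                seen.add(state)
                todo.append(state)
    return False


def ef_synthesis(pta, goal, bounds):
    """All integer valuations within bounds (inclusive) for which v(A) reaches goal."""
    names = sorted(bounds)
    ranges = [range(bounds[p][0], bounds[p][1] + 1) for p in names]
    return {values for values in product(*ranges)
            if reachable(instantiate(pta, dict(zip(names, values))), goal)}


def ef_emptiness(pta, goal, bounds):
    return not ef_synthesis(pta, goal, bounds)


def ef_universality(pta, goal, bounds):
    total = 1
    for lo, hi in bounds.values():
        total *= hi - lo + 1
    return len(ef_synthesis(pta, goal, bounds)) == total


if __name__ == "__main__":
    sol = ef_synthesis(PTA, {"ok"}, {"p1": (0, 8), "p2": (0, 8)})
    print(len(sol), "of 81 valuations (p1, p2) reach 'ok'")
```

The cost is one reachability check per valuation, so it grows with the size of the bounded domain; the approach does not carry over to rational-valued parameters, where the domain is infinite even when bounded.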

In [JLR15], a symbolic method is proposed to com- 
pute EF- and AF-synthesis; experiments showed that 
this symbolic computation is faster than an exhaustive 
enumeration (using UPPAAL). 


Undecidability for rational-valued parameters For 
rational-valued parameters, the EF-emptiness 
problem is undecidable for a single parameter in 
[1,2] [Mil00]. EG-emptiness [AL17a], AF- and AG- 
emptiness [ALR16a], as well as language and trace 
preservation [AM15] are also undecidable for one or 
two rational-valued bounded parameter(s) (typically 
bounded by [0, 1]). 


4 Bounding the numbers of clocks and parameters


4.1 EF-emptiness 


Since the seminal paper on PTAs [AHV93], the decidability of the EF-emptiness problem was studied in various settings, by bounding the number of parametric clocks, of nonparametric clocks, and of parameters. The syntax was also restrained.

We summarize these results in Table 2.⁴ We only keep in Table 2 the best known results as of the current state of the art. For example, the decidability of the EF-emptiness problem over dense time with 1 parametric clock and arbitrarily many nonparametric clocks and integer-valued parameters as proved in [AHV93] with a non-elementary complexity does not appear in Table 2 as it is subsumed by [Ben+15] with an NEXPTIME complexity and a more permissive syntax (use of invariants).

The open question of the syntax expressiveness re- 
quires to consider a multi-dimensional table: we need to 
consider not only the number of clocks and parameters, 
but also the syntax allowed in guards and invariants. 
For example, for the undecidability over discrete time, 
[Ben+15] improves the number of parameters when com- 
pared to [AHV93] (6 instead of 1), but requires both 
strict and non-strict inequalities, whereas [AHV93] uses 
only equalities in their construction; it is therefore un- 
clear whether the result of [AHV93] is really subsumed 
by [Ben+15]. However, following Remark 1, we consid- 
ered that the works requiring invariants to contain only 
clocks bounded from above impose in fact no constraint 
on the invariants form (as the clocks bounded from be- 
low can be moved to the incoming guards). 

“Consequence” indicates a result originally proved 
for a less expressive or a more expressive setting; “at 
most” in the complexity column indicates in the latter 
case that the complexity is necessarily lower or equal to 
that of the more expressive setting. For example, [Mil00] 
proved that the single clock case is PTIME over dense 
time with a fixed number of rational-valued parame- 
ters, and therefore the corresponding problem cannot be 
harder over discrete time (with integer-valued parame- 
ters). 

In the following, we extract the most important re- 
sults out of Table 2. The decidability is clearly impacted 
by the number of parametric clocks, and we therefore 
reason by the number of parametric clocks. 


Main results: 1 parametric clock First, let us consider 
PTAs with a single parametric clock: The EF-emptiness 
problem is (at most) NP-complete over discrete and 
dense time with no nonparametric clock and arbitrar- 
ily many parameters [Mil00]. 

It is decidable and NEXPTIME-complete over 
discrete time with arbitrarily many nonparametric 
clocks [Ben+15]. Over dense time with arbitrarily many 
nonparametric clocks and integer-valued parameters, it 
is NEXPTIME [Ben+15]. 

It is undecidable with three nonparametric
clocks [Mil00] over dense time with rational-valued
parameters; note that this problem is decidable over
discrete time [AHV93; BO14; Ben+15] and over
dense time with integer-valued parameters [Ben+15],
which exhibits a difference between dense and dis-
crete time [Mil00], as well as between integer- and
rational-valued parameters over dense time.

4 This table is partially inspired by a similar table in [Doy07],
improved by adding more dimensions, and of course more recent
results.

Table 2: Decidability of the EF-emptiness problem for general PTAs


Main results: 2 parametric clocks Second, let us con- 
sider PTAs with two parametric clocks: the EF- 
emptiness problem is decidable over discrete time with 
arbitrarily many nonparametric clocks and a single pa-
rameter, and is $\mathrm{PSPACE}^{\mathrm{NEXP}}$-hard [BO14].

Over dense time with rational-valued parameters, 
the case with 2 parametric clocks and 2 nonparamet- 
ric clocks is undecidable: [Mil00] gives a proof of unde- 
cidability with 1 parametric clock and 3 nonparametric 
clocks: comparing one of the nonparametric clocks with 
a parameter in an additional location (e.g., after the 
halting location) does not impact the proof and turns a 
nonparametric clock into a parametric one. 

Any other case with two parametric clocks remains 
open. 


Main results: other undecidability The EF-emptiness 
problem is undecidable in all settings with three (or 
more) parametric clocks. 

Finally, using only strict inequalities, the EF-
emptiness problem is undecidable over dense time for
two parametric clocks, three nonparametric clocks and
two parameters [Doy07]; this situation was not consid- 
ered over discrete time. 


Open cases The main open case is the “two parametric 
clocks” case. The decidability is open for 2 parametric 
clocks with: 


— over discrete time: arbitrarily many nonparametric 
clocks and more than one parameter; 

— over dense time with integer-valued parameters: arbi- 
trarily many nonparametric clocks and parameters; 

— over dense time with rational-valued parameters: 0 
or 1 nonparametric clock and any number of param- 
eters. 


In addition, the decidability remains open over dense 
time with rational-valued parameters for 1 nonparamet- 
ric clock, 1 or 2 nonparametric clocks and arbitrarily 
many parameters. 

Finally, the decidability using only strict inequalities
remains open for cases not considered by [Doy07]: fewer
clocks and parameters, or with integer-valued parame-
ters (both over dense and discrete time).


4.2 Language and trace preservation 


Let us first recall the definition of determinism
from [AM15]. We say that a PTA is deterministic if,
for any $l \in L$, for any $a \in \Sigma$, there exists at most one
edge $(l, g, a, R, l') \in E$, for some $g, R, l'$. (Note that it dif-
fers from a rather common definition of determinism for
TAs, that allows two or more outgoing transitions with 
the same action label provided that the corresponding 
guards are pairwise disjoint.) 

The language- and trace-preservation problems are
decidable for deterministic PTAs with a single (para-
metric) clock, and with linear parameter constraints al-
lowed in guards and invariants, i. e., of the form $x \bowtie plt$
or $plt \bowtie 0$ [AM15]. A procedure to compute parameter
valuations with the same trace set as a given valuation 
is proposed in [AM15] (close to the “inverse method” 
[And+09]), that is complete for deterministic PTAs, and 
terminates in the case of a single clock. 


4.3 Parametric model checking


Parametric model checking was addressed in different 
settings: verifying a nonparametric model against a para- 
metric formula, or a parametric model against a non- 
parametric formula, or a parametric model against a 
parametric formula. 


Nonparametric model / parametric formula 
In [Alu+01], an extension of LTL with parameters 
in the formula (“PLTL”) is studied. When only 
parametric “always” modalities are allowed of the 
form “< p”, checking emptiness of the valuation set 
is PSPACE-complete. The solution to the synthesis 
problem is doubly exponential in the number of param- 
eters. However, when allowing equality in PLTL, the 
emptiness problem becomes undecidable [Alu+01]. 


Parametric model / nonparametric formula In [Qua14],
it is shown that model checking PTAs with the (nonpara-
metric) logic MTL [Koy90] is undecidable, even with a
single clock and a single parameter, and even when the
PTA is deterministic. This negative result comes in con-
trast to the decidability of the EF-emptiness problem
for one-clock PTAs, and to the decidability of MTL-
model checking for (nonparametric) timed automata in
the pointwise semantics over finite timed words [OW07].
Note that the proof of undecidability of [Qua14] requires 
the parameters to be rational-valued (integer-valued pa- 
rameters are not sufficient—and this latter case can 
hence be considered as open). 


Parametric model / parametric formula Model check- 
ing a PTA over discrete time with a single parametric 
clock against a PTCTL formula (a parametric version 
of TCTL) is decidable, provided the formula does not 
use equality constraints; otherwise the problem becomes 
undecidable [BR07]. 


4.4 Other problems: open 


Other problems are open. However, two constructions 
were recently proposed for the one parametric clock case, 
that may help solve most problems in this particular 
setting. First, in [AM15], we show that the parametric 
zone graph is finite for a single (parametric) clock and 
arbitrarily many rational-valued parameters over dense 
time. This implies that all problems that reason on the 
zone graph can be decided. This includes in particular 
EF-, EG-, AF- and AG-emptiness, as well as the language
and trace preservation problems. 

Second, in [Ben+15], an abstraction is proposed for 
one parametric clock and arbitrarily many nonparamet- 
ric clocks and integer-valued parameters over dense time. 
Although this remains to be shown formally, this ab- 
straction (based on the elimination of the nonparamet- 
ric clocks followed by a corner-point abstraction on the 
subsequent region graph) apparently preserves enough 
elements of the region graph to be used to solve all afore- 
mentioned problems. 

In both cases, the synthesis seems also to be feasible. 


5 The (quite) disappointing class of L/U-PTAs 


Lower-bound/upper-bound parametric timed automata 
(L/U-PTAs), proposed in [Hun+02], restrict the use of 
parameters in the model. A parameter is said to be an 
upper-bound parameter if, whenever it is compared with 
a clock, it is necessarily compared as an upper bound, 
i.e., it only appears in inequalities of the form x < p. 
Conversely, a parameter is a lower-bound parameter if it 
is only compared with clocks as a lower bound, i.e., of 
the form p < x.

An L/U-PTA is a PTA where the set of parameters 
is partitioned into upper-bound parameters and lower- 
bound parameters. In [BL09], two additional subclasses 
are introduced: L-PTAs (resp. U-PTAs) are PTAs with 
only lower-bound (resp. upper-bound) parameters. 


Example 3. Consider again the coffee machine in Fig. 1,
modeled using a PTA A. This PTA is not an L/U-PTA;
indeed, in the guard $x_2 = p_2$ (resp. $x_2 = p_3$), $p_2$ (resp. $p_3$)
is compared with clocks both as a lower-bound and as
an upper-bound. (Recall that = stands for $\leq$ and $\geq$.)

However, if one replaces $x_2 = p_2$ with $x_2 < p_2$ and
one replaces $x_2 = p_3$ with $x_2 < p_3$, then A becomes an
L/U-PTA with lower-bound parameter $p_1$ and upper-
bound parameters $\{p_2, p_3\}$. Note that equalities are not
forbidden in L/U-PTAs (e. g., $x_1 = 10$), but only equal-
ities involving parameters.


Several case studies fit into the class of L/U-PTAs: 
the root contention protocol, the bounded retransmis- 
sion protocol and the Fischer mutual exclusion proto- 
col are all modeled with L/U-PTAs in [Hun+02]; in
[Hun+02; KP12], both the Fischer mutual exclusion pro-
tocol and a producer-consumer are verified using L/U- 
PTAs. Interestingly, the two case studies of the seminal 
paper on PTAs [AHV93] (viz., a toy railroad crossing 
model and a model of Fischer mutual exclusion protocol) 
are also L/U-PTAs, although the concept of L/U-PTAs 
had not been proposed yet at that time. In addition, 
most models of asynchronous circuits with bi-bounded 
delays (i.e., where each delay between the change of an 
input signal and the change of the corresponding out- 
put is a parametric interval) can be modeled using L/U- 
PTAs. 

L/U-PTAs were first known for their decidability 
results (Section 5.1); then, new undecidability results 
(Sections 5.2 and 5.3) rendered this class less interest- 
ing. The most disappointing aspect of L/U-PTAs is the 
impossibility to perform exact synthesis even when the 
associated decision problems are decidable. We review 
these results in the remainder of this section. 


5.1 A main decidability result 


The first (and main) positive result for L/U-PTAs is 
the decidability of the EF-emptiness problem [Hun+02]. 
L/U-PTAs benefit from the following interesting mono- 
tonicity property: increasing the value of an upper- 
bound parameter or decreasing the value of a lower- 
bound parameter necessarily relaxes the guards and 
invariants, and hence can only add behaviors. Hence, 
checking the EF-emptiness of an L/U-PTA can be 
achieved by replacing all lower-bound parameters 
with 0, and all upper-bound parameters with $\infty$; this
yields a nonparametric TA, for which emptiness is 
PSPACE [AD94]. This procedure is not only sound but 
also complete. 
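The procedure above, as an added example (not code from the survey or from any tool it cites): a syntactic L/U classification followed by the 0/∞ substitution and a zone-based reachability check on the resulting TA. The two-clock automaton, its location and parameter names, and all function names are constructed for illustration; the sketch assumes only non-strict constraints, integer constants, and finite values for lower-bound parameters.

```python
from math import inf as INF
from itertools import product

# Constructed L/U-PTA (not from the survey); clocks: 1 = x, 2 = y.
# Constraint = (clock, "<=" or ">=", bound); bound = int or parameter name.
PTA = {
    "clocks": 2, "init": "idle",
    "inv": {"work": [(2, "<=", "p_up")]},
    "edges": [  # (source, guard, clocks reset, target)
        ("idle", [(1, ">=", "p_lo")], [2], "work"),
        ("work", [(2, ">=", 2)], [], "done"),
        # x is never reset, so x >= y always holds: unsatisfiable guard
        ("work", [(1, "<=", 1), (2, ">=", 3)], [], "bad"),
    ],
}

def constraints(pta):
    groups = list(pta["inv"].values()) + [e[1] for e in pta["edges"]]
    return [c for cs in groups for c in cs]

def classify(pta):
    """Return (lower-bound, upper-bound) parameter sets; L/U iff disjoint."""
    lower, upper = set(), set()
    for _, op, b in constraints(pta):
        if isinstance(b, str):
            (upper if op == "<=" else lower).add(b)
    return lower, upper

def instantiate(pta, val):
    """Substitute parameter values; x <= INF is trivially true and dropped."""
    def inst(cs):
        cs = [(c, op, val[b] if isinstance(b, str) else b) for c, op, b in cs]
        return [t for t in cs if (t[1], t[2]) != ("<=", INF)]
    return {**pta, "inv": {l: inst(cs) for l, cs in pta["inv"].items()},
            "edges": [(s, inst(g), r, t) for s, g, r, t in pta["edges"]]}

def close(d):
    """Tighten a DBM (d[i][j] bounds x_i - x_j); None if the zone is empty."""
    n = len(d)
    for k, i, j in product(range(n), repeat=3):
        d[i][j] = min(d[i][j], d[i][k] + d[k][j])
    return None if any(d[i][i] < 0 for i in range(n)) else d

def restrict(d, cs):
    """Intersect a zone with a conjunction of atomic constraints."""
    d = [row[:] for row in d]
    for c, op, b in cs:  # x_c <= b is d[c][0] <= b; x_c >= b is d[0][c] <= -b
        i, j, v = (c, 0, b) if op == "<=" else (0, c, -b)
        d[i][j] = min(d[i][j], v)
    return close(d)

def delay(d, inv, k):
    """Let time elapse within inv (d must already satisfy it), then k-normalise."""
    for i in range(1, len(d)):
        d[i][0] = INF
    d = restrict(d, inv)
    for i, j in product(range(len(d)), repeat=2):
        if i != j:  # widen bounds beyond k so only finitely many zones exist
            d[i][j] = INF if d[i][j] > k else max(d[i][j], -k)
    return close(d)

def successor(ta, d, edge, k):
    _, guard, resets, target = edge
    d = restrict(d, guard)
    if d is None:
        return None
    for c in resets:  # x_c := 0
        for j in range(len(d)):
            d[c][j], d[j][c] = d[0][j], d[j][0]
    inv = ta["inv"].get(target, [])
    d = restrict(d, inv)
    return None if d is None else delay(d, inv, k)

def reachable(ta, target):
    """Zone-based forward reachability for a nonparametric TA."""
    k = max((abs(b) for _, _, b in constraints(ta)), default=0) + 1
    n = ta["clocks"] + 1
    start = successor(ta, [[0] * n for _ in range(n)], (None, [], [], ta["init"]), k)
    todo = [] if start is None else [(ta["init"], start)]
    seen = {}
    while todo:
        loc, d = todo.pop()
        if loc == target:
            return True
        zones = seen.setdefault(loc, [])
        if any(all(a <= b for a, b in zip(sum(d, []), sum(z, []))) for z in zones):
            continue  # d is contained in an already explored zone
        zones.append(d)
        succ = [(e[3], successor(ta, d, e, k)) for e in ta["edges"] if e[0] == loc]
        todo += [(l, z) for l, z in succ if z is not None]
    return False

def ef_nonempty(pta, target):
    """Section 5.1 procedure: lower-bound params := 0, upper-bound := INF."""
    lower, upper = classify(pta)
    if lower & upper:
        raise ValueError("not an L/U-PTA: %s" % sorted(lower & upper))
    val = {**dict.fromkeys(lower, 0), **dict.fromkeys(upper, INF)}
    return reachable(instantiate(pta, val), target)
```

Calling `reachable` on `instantiate(PTA, {"p_lo": 4, "p_up": 1})` and then with `p_up` raised to 2 shows the monotonicity the procedure relies on: enlarging an upper-bound parameter only adds behaviors.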

Further decidability results are exhibited in [BL09], 
for infinite runs acceptance properties, i. e., where a loca- 
tion is met infinitely often (a problem to which we refer 
hereafter as Büchi). Note that, in contrast to [Hun+02]
where the parameters are valued with non-negative re-
als, the results in [BL09] consider integer-valued pa-
rameters (though time is dense, i.e., clocks are real-
valued). It is shown in [BL09] that Büchi-emptiness,
Büchi-universality, and Büchi-finiteness are PSPACE-
complete. Remark that the decidability of the Büchi-
finiteness is due to the fact that the parameters are
integer-valued; in short, a sufficient bound is computed 
on the parameters, and then valuations smaller or equal 
to this bound are enumerated, which would not be fea- 
sible for real- or rational-valued parameters. 

Oddly, the decidability of EF-universality was never 
shown for L/U-PTAs. On the one hand, EF-emptiness 
is decidable for L/U-PTAs with rational-valued param- 
eters [Hun+02]. On the other hand, Büchi-universality
is decidable for L/U-PTAs with integer-valued parame-
ters [BL09], and this result extends in a very straight-
forward manner to EF-universality for L/U-PTAs with
integer-valued parameters. Let us first extend Büchi-
universality to rational-valued parameters. The result
mainly consists in a reasoning dual to [AL17a, Lemma 2].


Proposition 1. The Büchi-universality problem is
PSPACE-complete for L/U-PTAs with rational-valued 
parameters. 


Proof. We aim at proving that, given an L/U-PTA A and 
a subset of its locations G, the problem of the universal- 
ity of the set of parameter valuations v such that v(A) 
has a run passing infinitely often through G is PSPACE- 
complete. Let us prove that the set of rational valuations 
satisfying the property is not universal iff the set of in- 
teger valuations doing so is not universal. 


$\Leftarrow$ Considering that integer valuations are also rational
valuations, the result trivially holds.

$\Rightarrow$ Assume there exists a rational-valued parameter val-
uation v for which v(A) contains no infinite run pass-
ing infinitely often through locations of G. Let v’ be
the integer parameter valuation obtained from v as
follows:

$$v'(p) = \begin{cases} v(p) & \text{if } v(p) \in \mathbb{N} \\ \lfloor v(p) \rfloor & \text{if } p \text{ is an upper-bound parameter} \\ \lceil v(p) \rceil & \text{if } p \text{ is a lower-bound parameter} \end{cases}$$

That is, v’ is more restrictive than v, and fewer guards
will be enabled, and therefore fewer behaviors will
be possible in v’(A). Formally, from the well-known
monotonicity property of L/U-PTAs (recalled in e. g.,
[AL17a, Lemma 1]), if v(A) yields no infinite run
passing infinitely often through locations of G, then
neither does v’(A).


Now, in [BL09, Theorem 8], it is proved that the prob- 
lem of the universality of the set of integer parameter 
valuations for which there exists an infinite run passing 
infinitely often through G is PSPACE-complete. This 
concludes the proof. $\square$


This result extends trivially to EF-universality (by 
adding self-loops with no guard on all accepting loca- 
tions). 


Corollary 1. The EF-universality problem is 
PSPACE-complete for L/U-PTAs with rational-valued 
parameters. 


5.2 Undecidability results 


The first undecidability results for L/U-PTAs are shown 
in [BL09]: the constrained Büchi-emptiness problem and 
constrained Büchi-universality problem are undecidable 
for L/U-PTAs. By constrained it is meant that some pa- 
rameters of the L/U-PTA can be constrained by an ini- 
tial linear constraint, e. g., $p_1 < 2 \times p_2 + p_3$. Indeed, using
linear constraints, one can constrain an upper-bound pa-
rameter to be equal to a lower-bound parameter, and 
hence build a 2-counter machine using an L/U-PTA. 
However, when no upper-bound parameter is compared 
to a lower-bound parameter (i.e., when no initial linear 
inequality contains both an upper-bound and a lower- 
bound parameter), these two problems retrieve decid- 
ability [BL09]. The exact decidability frontier may not 
be found yet: the case where a lower-bound parameter is 
constrained to be less than or equal to an upper-bound 
parameter fits in none of the considered cases. 

A second negative result is shown in [JLR15]: the AF- 
emptiness problem is undecidable for L/U-PTAs. This is 
achieved by a reduction from a 2-counter machine where 
a lower-bound parameter is equal to an upper-bound 
parameter iff AF holds. This restricts again the use of 
L/U-PTAs, as AF is essential to show that all possible 
runs of a system eventually reach a (good) state. 

Then, in [AM15], it is shown that the language 
preservation problem is undecidable for L/U-PTAs. 
Again, this is achieved by a reduction from a 2-counter 
machine where a lower-bound parameter is equal to an 
upper-bound parameter iff the language is preserved. 


5.3 A frontier between decidability and undecidability


The EG-emptiness problem stands at the frontier be- 
tween decidability and undecidability [AL17a]. Recall 
that the EG-emptiness problem is false if there exists 
at least one parameter valuation for which a maximal 
run remains entirely within some predefined set G of lo- 
cations. That is, either this run is an infinite run, and 
therefore contains a cycle (remaining within G); or this 
run is a finite run (remaining within G), and therefore 
ends with a deadlock, i.e., ends with a state from which 
no discrete transition can be taken, even after letting 
some time elapse. 

On the one hand, deciding whether there exists a 
valuation in an L/U-PTA yielding a cycle is decidable 
(and PSPACE-complete). On the other hand, deciding 
whether there exists a valuation in an L/U-PTA yield- 
ing a deadlock is undecidable. (These two problems, not 
studied in this survey, are without surprise shown to be 
undecidable for general PTAs.) 

The EG-emptiness problem stands in between decid- 
ability and undecidability: while this problem is decid- 
able for L/U-PTAs with a bounded parameter domain 
with closed bounds, it becomes undecidable if either the 
assumption of boundedness or of closed bounds is lifted. 


5.4 Model-checking L/U-PTAs 


In [BL09], a parametric extension of the dense-time
linear temporal logic MITL$_{0,\infty}$ (denoted “PMITL$_{0,\infty}$”)
is proposed; when parameters are used only as lower
or upper bound in the formula (to which we refer as
L/U-PMITL$_{0,\infty}$), satisfiability and model checking are
PSPACE-complete; this is obtained by translating the
formula into an L/U-PTA and checking an infinite ac-
ceptance property.

Then, in [DLN15], an extension of MITL allowing 
parametric linear expressions in bounds is proposed 
(yielding PMITL). Two sets of (integer-valued) param- 
eter valuations are considered: 1) the set of valuations 
for which a PMITL formula is satisfiable, i. e., for which 
there exists a timed sequence (possibly belonging to a 
given L/U-PTA) satisfying it, and 2) the set of valua- 
tions for which a PMITL formula is valid, i. e., for which 
all timed sequences (possibly belonging to a given L/U- 
PTA) satisfy it. Under some assumptions, the emptiness 
and universality of the valuation set for which a PMITL 
property is satisfiable or valid (possibly w.r.t. a given 
L/U-PTA) are decidable, and EXPSPACE-complete. 
Essential assumptions for decidability include the fact 
that parameters should be used with the same polarity 
(positive or negative coefficient, as lower or upper bound 
in the intervals) within the entire PMITL formula, and 
each interval can only use parameters in one of the end- 
points. Additional assumptions include that no interval 
of the PMITL formula should be punctual (nor empty), 
and linear parametric expressions are only used in right 
endpoints of the intervals (single parameters can still 
be used as left endpoints). In addition, two fragments 
of PMITL are shown to be in PSPACE, including one
that allows for expressing parameterized response (“if an
event occurs, then another event shall occur within some
possibly parametric time interval”).


5.5 Summary of decidability problems for L/U-PTAs 


We summarize in Table 3 decision problems for L/U- 
PTAs. Cases not considered in the literature are not de- 
picted. 


5.6 Intractability of the synthesis 


The most disappointing result concerning L/U-PTAs is 
shown in [JLR15]: despite decidability of the underly- 
ing decision problem (EF-emptiness), the solution to 
the EF-synthesis problem for L/U-PTAs cannot be rep- 
resented using a formalism for which the emptiness of 
the intersection with equality constraints is decidable. 
The proof relies on the undecidability of the constrained 
emptiness problem of [BL09]. A very annoying conse- 
quence is that such a solution cannot be represented as 
a finite union of polyhedra (since the emptiness of the 
intersection with equality constraints is decidable). 


5.7 Two open classes: L-PTAs and U-PTAs 


L-PTAs and U-PTAs (introduced in [BL09]) are very
open classes, in the sense that to the best of our knowl-
edge, no result known to be decidable for L-PTAs (or
U-PTAs) was shown undecidable for L/U-PTAs (and is
hence either decidable or open). Conversely, and even
stronger, no result known to be undecidable for L/U-
PTAs was shown decidable for L-PTAs (or U-PTAs)—
and remains open.

Table 3: Decision problems for L/U-PTAs over dense time

To summarize, the EG-emptiness, AG-emptiness and 
AF-emptiness problems, as well as the language- and 
trace-preservation problems, are all undecidable for 
(general) L/U-PTAs, but remain open for L-PTAs and 
U-PTAs. 


Synthesis The synthesis for L-PTAs and U-PTAs did 
not receive much attention, with the exception of 
integer-valued parameters: in that case, it is possible to 
synthesize the solution to the Büchi-synthesis problem
in the form of a union of linear constraints doubly expo- 
nential in the number of parameters [BL09]. The authors 
note that it remains open whether one can construct a 
linear constraint with a single exponential blow-up. This 
result does not extend in a straightforward manner to 
rational-valued parameters, as the technique in [BL09] 
(for U-PTAs) requires the computation of a sufficient 
upper bound, and then an exhaustive enumeration of 
parameters below this bound. 


6 Beyond parametric timed automata 


6.1 Parametric hybrid automata 


Hybrid automata [ACHHNHOSY95; Alu+93; Hen96]
are an extension of timed automata where clocks (called
continuous variables) can have an arbitrary rate (i.e.,
not necessarily equal to 1).

The reachability of a location in linear hybrid au-
tomata is undecidable, although semi-algorithms were
proposed [ACHHNHOSY95]. Interestingly, the sim-
ple extension of timed automata to stopwatch automata 
(where the elapsing of some clocks may be stopped in 
selected locations) yields a formalism as expressive as 
linear hybrid automata [CL00], and for which reachabil- 
ity is undecidable too. 

First, remark that parameters can be encoded natu- 
rally in the general class of hybrid automata, provided 
diagonal constraints are allowed (of the form $v_i - v_j \bowtie c$,
with $v_i, v_j$ variables and $c$ a constant): a parameter is a
variable that is not initialized (its initial value is arbi- 
trary), the rate of which is always 0 (therefore constant), 
and that is never reset along any transition. However, the 
undecidability results for linear hybrid automata rule out 
the possibility of exhibiting any decidability results for 
(general) parametric linear hybrid automata. 

Second, several subclasses of linear hybrid automata 
were defined in the literature, and were shown to enjoy 
some decidable results (e. g., [Hen+98; Bri+04; Asa+12; 
BHS12; Bri+13]). However, obviously, any such subclass
at least as expressive as timed automata (such as [Hen+98;
Bri+13]) would necessarily lead to undecidability when
adding parameters. This is not the case of some sub-
classes of linear hybrid automata, which are incompara-
ble (at least from a syntactic point of view) with timed
automata (e.g., [Bri+04; BHS12]), or restrict the use
and the number of variables [Asa+12]. We believe study-
ing parametric extensions of these formalisms represents
an interesting direction of research.


6.2 Parametric interrupt timed automata 


Interrupt timed automata (ITAs) are a subclass of hy- 
brid systems where clock variables only have a rate of 0 
(stopped) or 1 (processing): in fact, ITAs define lev- 
els such that, at each level, exactly one clock is ac- 
tive (rate 1), while clocks of lower levels are stopped 
(rate 0) [BHS12]. In addition, guards can only involve 
clocks from the current level and the lower levels. Clock 
updates allow the use of linear expressions involving 
clocks from lower levels. The model is well-suited to de- 
fine real-time systems with multiple tasks running on 
a single processor and subject to interruption (where a 
lower-priority task can be preempted by a higher-priority 
task). A main positive result for ITAs is that reachabil- 
ity is in NEXPTIME (and in PTIME when the number 
of clocks is fixed). Interrupt timed automata and timed 
automata are incomparable in terms of timed language. 

In [Bér+16], ITAs are extended with parameters, 
which yields parametric ITAs (PITAs). When param- 
eters are combined with clock values in linear expres- 
sions as additive coefficients, the reachability in PITAs 
reduces to the same problem in nonparametric ITAs, and 
is therefore decidable (with an upper bound of 2EXP- 
TIME on the complexity, due to the reduction). When 
parameters are combined with clock values in linear ex- 
pressions as both additive and multiplicative coefficients, 
the reachability in PITAs remains decidable, with an 
upper bound of 2EXPSPACE on the complexity. This 
significantly increases the expressiveness of ITAs, and 
allows to model clock drifts. 

Finally, ITAs are extended to polynomial ITAs (PolITAs)
in [Bér+15], where polynomial expressions on
clocks are allowed in guards. Reachability remains de- 
cidable, and parameters can be used (without harming 
the complexity) in polynomials. 


6.3 Integer-point parametric timed automata 


Integer-point parametric timed automata (IP-PTAs) 
were introduced in [ALR16a] as a subclass of PTAs in 
which each state in the parametric zone graph (a con- 
struction with location and symbolic convex constraints 
over $X \cup P$) contains an integer point. The main posi-
tive result for IP-PTAs with bounded (rational-valued) 
parameters is the decidability of the EF-emptiness prob- 
lem. However, the AF-emptiness and AG-emptiness 
problems are both undecidable. 

A more disappointing result is the undecidability of 
the membership problem, i.e., it is undecidable whether 
a PTA is an IP-PTA. In addition, synthesis is proved to 
be intractable (as for L/U-PTAs). 

However, a sufficient syntactic condition for the 
membership of IP-PTAs is the class of reset- 
PTAs [ALR16a]: whenever a clock is compared to a pa-
rameter in a transition guard (resp. in location invari-
ant), then all clocks must be reset on that transition
(resp. along all transitions going out from that loca-
tion). As a consequence, the EF-emptiness problem is
decidable for bounded reset-PTAs too. In addition, we
conjecture that the parametric zone graph of reset-PTAs
should be finite, which would allow to prove the decid-
ability of the AF-, AG- and EG-emptiness problems. This
remains to be shown formally.


6.4 Other formalisms 


Time Petri nets In parallel to timed automata, many 
works in the literature were dedicated to time Petri 
nets [Mer74], which are an extension of Petri nets where 
transitions are labeled with a firing interval, which repre- 
sents the duration between the time when the transition 
becomes enabled (enough tokens are present in the in- 
coming places) and the time it can actually fire. Time 
Petri nets and timed automata were compared in, e. g., 
[Bér+05; Srb08; Bér+13]. 

In [TLR09], time Petri nets are extended with
rational-valued parameters in firing intervals. Using
translations between time Petri nets and timed au-
tomata [Bér+05; CR06], it is shown that the emptiness
and reachability problems are undecidable for bounded 
parametric time Petri nets, and turn decidable when pa- 
rameters are only used as lower-bounds or upper-bounds, 
in the spirit of L/U-PTAs. Then, semi-algorithms are 
defined for the parametric model-checking of a subset of 
parametric TCTL formulas applied on parametric time 
Petri nets extended with inhibitor arcs (which play a 
similar role as stopwatches in timed automata). The tool 
Roméo implements these algorithms.


Stateful timed CSP In [And+12b], the process alge- 
bra stateful timed CSP [Sun+13] (itself an extension of 
Hoare’s communicating sequential processes [Hoa78]) is 
extended with parameters in syntactic constructs such 
as Wait, Deadline or Within, yielding PSTCSP. With- 
out surprise (as the expressiveness of PSTCSP is very 
close to that of PTAs), the emptiness of the valuation 
set for which a configuration is reachable is undecidable. 
Although most of the (timed) syntactic constructs al- 
lowed are not necessary for the proof of undecidability, 
the Wait construct (used to test an exact amount of 
time, similar to equality in timed automata) is exten- 
sively used. Decidability for subsets of the syntax with- 
out the Wait construct was not studied. PSTCSP is im- 
plemented in a tool PSyHCoS [And+13] implementing 
some parameter synthesis algorithms. 


7 Tools and applications 


7.1 Tools 


The first tool to support modeling and verification us-
ing parametric timed automata was HyTech [HHW97].
In fact, HyTech supports linear hybrid automata (in-
cluding clocks, parameters, stopwatches and general con-
tinuous variables); it can compute the state space, and
perform operations (such as intersection, convex hull,
difference) between sets of symbolic states. Therefore,
it can be used to perform parametric model checking
using reachability checking [Ace+03]. HyTech is not
maintained anymore, but can still be found online in the
form of a standalone binary for Linux.⁵

In [Hun+02], an extension of UPPAAL implement- 
ing parametric difference bound matrices (PDBMs) and 
hence allowing for verification using PTAs is mentioned. 
However, this tool does not seem to be available any- 
where online. 

Roméo [Lim+09] primarily supports parametric
time Petri nets (extended with stopwatches), a formal-
ism shown to be close to PTAs in terms of expres-
siveness [Bér+05; TLR09]. Roméo supports the use of
parametric linear expressions in the time intervals of
the transitions, and allows to add linear constraints on
the parameters to restrict their domain. Roméo also
implements an original algorithm for integer parame-
ter synthesis using a symbolic (continuous) representa-
tion [JLR15]. In addition, Roméo provides a simula-
tor and an integrated model-checker supporting a sub-
set of the TCTL syntax (including EF-synthesis and AF-
synthesis). Roméo is mainly written in C++, and makes
use of the Parma Polyhedra Library [BHZ08].

IMITATOR [And+12a] is a software tool for para- 
metric verification and robustness analysis of PTAs aug- 
mented with integer variables and stopwatches. Param- 
eters can be used both in the model and in the prop- 
erties. Verification capabilities include EF-synthesis, 
deadlock-freeness-synthesis [And16a], non-Zeno model 
checking [And+17], and trace-preservation-synthesis.
IMITATOR is fully written in OCaml, and makes use of 
the Parma Polyhedra Library [BHZ08]. It also features 
distributed capabilities to run over a cluster. 


7.2 Applications 


The formalism of PTAs has been used to model and 
verify various case studies featuring real-time constraints 
and parameters. 

Beyond the usual academic examples (such as variants
of train controllers [AHV93; Hun+02]), PTAs were
also used to successfully specify and verify numerous
interesting case studies such as the root contention
protocol [Hun+02], Philips’ bounded retransmission
protocol [Hun+02], a 4-phase handshake protocol [KP12], the
alternating bit protocol [JLR15], an asynchronous circuit
commercialized by ST-Microelectronics [Che+09],
(non-preemptive) schedulability problems [JLR15], a
distributed prospective architecture for the flight control
system of the next generation of spacecraft designed
at ASTRIUM Space Transportation [Fri+12], an unmanned
aerial video system by Thales⁶, and even analysis
of music scores [FJ13].


5 https://embedded.eecs.berkeley.edu/research/hytech/


8 Open questions and perspectives 


Syntax and expressiveness A first perspective is to compare
the expressiveness of the various syntaxes of guards
and invariants for general PTAs used in the literature.
The definitions of expressiveness recently proposed
in [ALR16a] could be reused for that purpose, using either
untimed or timed languages. Comparing the expressiveness
of the syntaxes in the literature would reduce
the number of dimensions for the various decidability
results of the EF-emptiness problem studied in Table 2.


Open decision problems A main open problem is the
decidability of PTAs with two parametric clocks, which
was only studied with a single integer-parameter [BO14].
Studying further the EG-, AF- and AG-emptiness problems
for few clocks and parameters (as was quite extensively
done for EF-emptiness) remains to be done too,
although the practical interest may be somewhat debatable.

In addition, with the exception of [AM15], all proofs 
of undecidability in the literature use a bounded number 
of clocks and parameters, but an unbounded number of 
locations. Exhibiting a minimal number of locations (at 
the possible cost of an unbounded number of variables) 
may be of theoretical interest. 

More interesting (and promising) are the two open
classes of L-PTAs and U-PTAs. These classes are non-trivial,
and relate to the robust analysis of TAs: most
robustness problems (see [Mar11; BMS13]) consider an
enlargement of all guards by (usually) the same constant
factor, whereas U-PTAs allow enlarging or decreasing
some of the upper-bound guards by a possibly different
rational-valued parameter, which gives an orthogonal
definition of robustness. The language preservation
problem remains open for U-PTAs [AM15] (except in
the case of a single integer-valued parameter where it
becomes decidable), and the question of the synthesis is
also challenging.


Hidden decidable subclasses? Despite many undecidability
problems, PTAs were often used to model and
verify various case studies (see Section 7). This can be
seen as a paradox considering the numerous undecidability
results PTAs suffer from. In fact, as the aforementioned
analyses terminate almost always with an exact
result, it is challenging to understand why, and perhaps
to exhibit further classes for which the problems considered
in this survey become decidable.


6 https://www.imitator.fr/static/FMTV15/


Hybrid systems with parameters Some subclasses of linear
hybrid automata are incomparable with timed automata
(e. g., [Bri+04; Asa+12]), and parametric extensions
could be studied. Recall that the class of interrupt
timed automata benefits from decidability results even
when extended with parameters [Bér+15].


Synthesis Whereas decision problems (considered in
this document) were much studied, little interest has
been dedicated to the synthesis of parameters, which
should, however, be a main practical challenge. Despite
undecidability (in general [AHV93]) or intractability
(for L/U-PTAs [JLR15]), semi-algorithms or approximated
procedures could be devised; SMT-based techniques
[KP12], or the integer hull approximation [JLR15;
ALR15] can serve as a basis for future works. Also note
that two recent orthogonal works aimed at performing
synthesis in a compositional manner [Ast+16; AL17b].

Also, combining nonparametric analysis (e. g., with 
the efficient model checker UPPAAL) with parametric 
analysis, so as to find perhaps not all valuations, but 
at least some of them, is certainly a promising direction 
of research. 
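
The following sketch is an added illustration of the idea in the paragraph above; it is not code from this survey or from any tool it cites. Each integer valuation in a bounded box is instantiated into a plain timed automaton and checked by a non-parametric reachability search. The two-clock model, all names and the integer-time search are assumptions of this example; the search is exact here only because every guard is non-strict, so sampling time at integers preserves location reachability.

```python
from collections import deque
from itertools import product

# Constructed two-clock PTA (an assumption, not a model from the survey).
# Edge = (source, target, guard, clocks_to_reset); a guard atom is
# (clock, op, bound) with bound an integer or a parameter name.
# "pl" only occurs as a lower bound and "pu" only as an upper bound.
CLOCKS = ("x", "y")
EDGES = [
    ("l0", "l1", [("y", ">=", "pl")], ["x"]),
    ("l1", "goal", [("x", ">=", 2), ("y", "<=", "pu")], []),
]

def instantiate(edges, valuation):
    """Replace parameter names by integers, yielding a plain timed automaton."""
    return [(s, t, [(c, op, valuation.get(b, b)) for c, op, b in g], r)
            for s, t, g, r in edges]

def reachable(ta_edges, init, target):
    """Non-parametric check: BFS over integer clock values (closed guards only)."""
    # Clock values above the largest constant are indistinguishable, so cap them.
    cap = max([b for _, _, g, _ in ta_edges for _, _, b in g], default=0) + 1
    start = (init, (0,) * len(CLOCKS))
    seen, todo = {start}, deque([start])
    while todo:
        loc, vals = todo.popleft()
        if loc == target:
            return True
        clock = dict(zip(CLOCKS, vals))
        succ = [(loc, tuple(min(v + 1, cap) for v in vals))]  # one time unit passes
        for s, t, guard, resets in ta_edges:
            if s == loc and all(clock[c] >= b if op == ">=" else clock[c] <= b
                                for c, op, b in guard):
                succ.append((t, tuple(0 if c in resets else clock[c] for c in CLOCKS)))
        for state in succ:
            if state not in seen:
                seen.add(state)
                todo.append(state)
    return False

def some_valuations(edges, params, domain, init="l0", target="goal"):
    """Enumerate a bounded integer box; keep the valuations that reach target."""
    return [dict(zip(params, point))
            for point in product(domain, repeat=len(params))
            if reachable(instantiate(edges, dict(zip(params, point))), init, target)]

if __name__ == "__main__":
    for v in some_valuations(EDGES, ("pl", "pu"), range(5)):
        print(v)
```

The result is an under-approximation of the full synthesis: it reports only the integer points of the chosen box, and says nothing about rational valuations or values outside it.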